PaulDotCom mailing list archives

Re: Nessus Scans killing ASA 5505


From: Paul Asadoorian <paul () pauldotcom com>
Date: Thu, 21 Jul 2011 13:57:58 -0400

Hi Ron,

Just a couple of things I noticed:

1) Try switching to a TCP scan instead of a SYN scan; it will be a
little slower but may cause fewer problems with the firewall.

2) Your max checks per host and max hosts per scan are set really high;
this is likely the reason the firewall is spiking CPU. Try tuning these
back (start with 5 hosts at a time and 10 checks per host).

3) Feel free to open a support ticket and the fine folks at Tenable
support can assist you further.

Thanks!

Cheers,
Paul

On 7/21/11 12:02 PM, Ron Henry wrote:
This problem is probably due to my current gateway not being able to
keep up, but here goes.

I'm scanning 10 or so /24s as part of a vuln assessment. I'm running
4.4.1. The scan, using the following scan policy, brings the ASA 5505 to
its knees. CPU utilization goes to 98% and stays there until the device
eventually locks up. I'm honestly probably at the point where I just
need to move to a beefier firewall, but I figured I would run it by you
guys first.

There are no complicated firewall rules in place and threat detection is
disabled.


The scan policy can be viewed at
http://www.ciphermonk.net/photos/scan_policy.png

Thanks for your help.

- Ron Henry (dijital1)

Website: http://www.ciphermonk.net
Email: rlh () ciphermonk net
Twitter: http://twitter.com/dijital1
LinkedIn: http://www.linkedin.com/in/dijital1

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
Fax: 1.877.846.2187